SeeThis?
Hashicorp vault - docker prod server setup
green iguana

Install and set up HashiCorp Vault using Docker and authenticate users through Keycloak with OIDC.

Create the directory structure:

```text
├── backup
├── config
│   └── config.hcl
├── data
├── logs
```

```bash
mkdir -p backup config data logs
```

Create `config/config.hcl` (the directory tree above places it under `config/`; the official Vault image reads its configuration from `/vault/config`, which the volume mount in the next step provides):

```hcl
storage "raft" {
  path    = "vault/data"
  node_id = "node1"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = "true"
}

disable_mlock = true

api_addr = "http://0.0.0.0:8200"

cluster_addr = "http://127.0.0.1:8201"

ui = true
```

Run the Docker container:

```bash
docker run --rm --name="vault" -p8200:8200 -p8201:8201 --cap-add=IPC_LOCK -v `pwd`:/vault vault server
```

Open the web UI:

http://localhost:8200/ui/vault/init

Choose "Create a new Raft cluster" in the web UI.

Open a shell in the container:

```bash
docker exec -it vault ash
```

Inside the container execute these commands:

```bash
export VAULT_ADDR='http://127.0.0.1:8200'
vault operator init
```

It will generate 5 unseal key shares (with a threshold of 3) and the initial root token.

Example output of the `vault operator init` command (the values are placeholders):

```text
Unseal Key 1: w73rz287ifgsjdfgwuezgf
Unseal Key 2: sudztgfcg8twetf8eqwgfs
Unseal Key 3: iqrz78qfz87q3f328gf832
Unseal Key 4: owez32fz83277zf8327f23
Unseal Key 5: 3uwezfguwzegfuzwefguzw

Initial Root Token: hvs.sakhjbfiefz8q7q

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated root key. Without at least 3 keys to
reconstruct the root key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
```

Go to the web UI and unseal Vault with any 3 of the unseal keys generated in the previous step (the threshold shown in the output above).

After that, log in with the Initial Root Token.

How to log in with Keycloak (19.0.1)

Open the web UI and go to Access -> Auth Methods -> Enable new method -> OIDC.

Choose Next -> Enable Method.

Configure OIDC (example)

Curl (replace the bearer token and client secret with your own values):

```bash
curl --request PUT \
  --url http://127.0.0.1:8200/v1/auth/oidc/config \
  --header 'Authorization: Bearer hvs.XXXXXX' \
  --header 'Content-Type: application/json' \
  --data '{
    "default_role": "reader",
    "oidc_client_id":"vault",
    "oidc_client_secret":"KCXXXXXXX",
    "oidc_discovery_url":"https://keycloak.example.com/realms/myrealm"
}'
```

Create the role:

```bash
curl --request POST \
  --url http://127.0.0.1:8200/v1/auth/oidc/role/reader \
  --header 'Authorization: Bearer hvs.XXXXXX' \
  --header 'Content-Type: application/json' \
  --data '{
    "bound_audiences": "vault",
    "allowed_redirect_uris": "http://localhost:8200/ui/vault/auth/oidc/oidc/callback",
    "user_claim": "sub",
    "groups_claim": "resource_access/vault/roles"
}'
```

Map Keycloak to Vault role

Keycloak side.

Dedicated scopes

  • Open client (example client name vault)

  • Open tab client scopes

  • Open Dedicated scope and mappers for this client (vault-dedicated)

  • Click Add mapper -> From predefined mappers

  • Search for roles, select client roles and click Add

  • Click on newly created Token mapper (client role)

  • For Client ID select the client, in this example vault

  • Click Save

Client details

  • Open client (example client name vault)

  • Open tab Roles

  • Create role kv-manager

  • Assign the role to a user

Vault side.

Open the Vault web UI.

Go to Policies -> Create ACL policy.

Type kv-manager for the policy name.
For the policy, paste this code:

```hcl
path "sys/health"
{
  capabilities = ["read", "sudo"]
}

# Create and manage ACL policies broadly across Vault

# List existing policies
path "sys/policies/acl"
{
  capabilities = ["list"]
}

# Create and manage ACL policies
path "sys/policies/acl/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Enable and manage authentication methods broadly across Vault

# Manage auth methods broadly across Vault
path "auth/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Create, update, and delete auth methods
path "sys/auth/*"
{
  capabilities = ["create", "update", "delete", "sudo"]
}

# List auth methods
path "sys/auth"
{
  capabilities = ["read"]
}

# Enable and manage the key/value secrets engine at `secret/` path

# List, create, update, and delete key/value secrets
path "secret/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage secrets engines
path "sys/mounts/*"
{
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# List existing secrets engines.
path "sys/mounts"
{
  capabilities = ["read"]
}
```

Create policy.

Would you like to know more?
https://learn.hashicorp.com/tutorials/vault/policies#write-a-policy

Create Group

Go to Access -> Groups -> Create Group.

Type kv-manager for the group name, select external for the type, and for Policies select the policy you just created (kv-manager).

Select Create.

  • Open the newly created group
  • Select the Aliases tab
  • Add Alias
  • For name type: kv-manager
  • For Auth Backend select oidc/ (oidc)
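How the role's `groups_claim` (set in the curl call above) and the external group alias just created fit together, as an added example that is not part of the original post or of Vault's code: it resolves the claim path against a constructed Keycloak ID-token payload and shows which Vault policies the login would receive. It assumes the token has already been verified, models Vault's claim lookup as a JSON Pointer as Vault's documentation describes, and uses constructed claims and a constructed alias table.

```python
# Constructed ID-token claims for a Keycloak user who holds the client role
# "kv-manager" on the client "vault" (Keycloak's resource_access layout).
SAMPLE_CLAIMS = {
    "sub": "constructed-user-id-0001",
    "aud": "vault",
    "resource_access": {"vault": {"roles": ["kv-manager", "uma_authorization"]}},
}
# Fields taken from the page's role definition (auth/oidc/role/reader).
ROLE = {
    "bound_audiences": ["vault"],
    "user_claim": "sub",
    "groups_claim": "resource_access/vault/roles",
}
# External groups as created in the Vault UI: alias name -> attached policies.
# The alias name must equal the Keycloak role string exactly (case included).
EXTERNAL_GROUP_ALIASES = {"kv-manager": ["kv-manager"]}


def resolve_claim(claims: dict, pointer: str):
    """Resolve a JSON Pointer (leading '/' optional) against the claims."""
    node = claims
    for part in pointer.strip("/").split("/"):
        part = part.replace("~1", "/").replace("~0", "~")  # JSON Pointer escapes
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def login(claims: dict, role: dict, aliases: dict) -> dict:
    """Simplified model of the role checks and alias matching Vault applies."""
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if not set(audiences) & set(role["bound_audiences"]):
        raise PermissionError("aud does not match bound_audiences")
    user = resolve_claim(claims, role["user_claim"])
    if not isinstance(user, str) or not user:
        raise PermissionError(f"user_claim {role['user_claim']!r} missing")
    groups = resolve_claim(claims, role["groups_claim"])
    if groups is None:
        raise PermissionError(f"groups_claim {role['groups_claim']!r} not in token")
    groups = [groups] if isinstance(groups, str) else groups
    # Only values equal to an external-group alias name grant policies;
    # unmatched role names such as "uma_authorization" are ignored.
    matched = [g for g in groups if g in aliases]
    policies = sorted({p for g in matched for p in aliases[g]} | {"default"})
    return {"user": user, "groups": matched, "policies": policies}
```

Changing the alias name to `KV-Manager` makes the same token land in no external group, which is the usual cause of a successful OIDC login that ends up with only the `default` policy.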

Log out of the Vault web UI and log in again using the OIDC method.

Set the OIDC method as the default method:

Access the Vault command line:

```bash
docker exec -it vault ash
```

Inside the container run these commands:

```bash
export VAULT_ADDR='http://127.0.0.1:8200'
vault login
```

Enter the token when prompted (the input is hidden).
Where to find the token? Open the Vault web UI and, in the upper right corner under the user profile, copy the token.

Finally, set the OIDC method as the default method:

```bash
vault auth tune -listing-visibility="unauth" oidc/
```

Notes

https://www.vaultproject.io/docs/secrets/cubbyhole

Vault logout always defaults to the token auth method on the login page:

https://github.com/hashicorp/vault/issues/10816

https://stackoverflow.com/questions/50031086/why-does-vault-by-hashicorp-require-the-ipc-lock-capability-to-be-enabled

https://learn.hashicorp.com/tutorials/vault/sop-restore

https://learn.hashicorp.com/tutorials/vault/sop-backup?in=vault/standard-procedures

https://learn.hashicorp.com/tutorials/vault/raft-storage

https://discuss.hashicorp.com/t/how-to-make-a-policy-for-creating-raft-storage-snapshots/14270/2

https://stackoverflow.com/questions/63878533/vault-error-server-gave-http-response-to-https-client

https://learn.hashicorp.com/tutorials/vault/getting-started-deploy

https://www.vaultproject.io/docs/configuration/storage/raft

https://learn.hashicorp.com/tutorials/vault/sop-backup

vault backup procedure